
AD read only proxy for Windows Server 2003 REL2

Discussion in 'Windows Home Server' started by Mark Collins, May 11, 2009.

  1. Mark Collins

    Mark Collins Guest

    We are implementing an external email filtering solution called Continuous
    M@il. This product can be used with AD integration to check that an SMTP
    recipient exists in our Exchange Organisation before accepting the email
    from the sending SMTP server. We have been asked to allow the external
    Continuous M@il service direct access to our DCs, via the internet, which I'm
    not comfortable with. I know there is the option of read-only DCs in
    Server 2008 which I would place in one of our DMZs to support the external
    LDAP queries. However our AD is not 2008, so does anyone know what our
    options would be with a 2003 REL2 AD?


    --
    Mark Collins
    IT Systems Support Analyst
    MCSE 2003
  2. Hello Mark,

    Have a look at AD FS:
    http://technet.microsoft.com/en-us/library/cc755828.aspx

    "Active Directory and the DMZ" in:
    http://redmondmag.com/columns/article.asp?EditorialsID=1105

    But if possible, you should avoid connecting AD to the DMZ. A DMZ is made for
    separating the domain from the outside world.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > We are implementing an external email filtering solution called
    > Continuous M@il. This product can be used with AD integration to check
    > that an SMTP recipient exists in our Exchange Organisation before
    > accepting the email from the sending SMTP server. We have been asked
    > to allow the external Continuous M@il service direct access to our
    > DCs, via the internet, which I'm not comfortable with. I know there is
    > the option of read-only DCs in Server 2008 which I would place in one
    > of our DMZs to support the external LDAP queries. However our AD is
    > not 2008, so does anyone know what our options would be with a 2003
    > REL2 AD?
    >
  3. Mark Collins

    Mark Collins Guest

    Hello Meinolf,

    Thanks for your input re AD Federation Services.

    However, it seems AD FS is there to support authentication across forests,
    rather than for my requirement, which does not require any authentication. The
    firewall rules to the DMZ will only allow Continuous M@il into that DMZ on
    ports 389 & 636, to check that an SMTP address exists in our AD for the
    recipient address.

    Additionally we can make this access read-only; it's just that I don't want
    to place a DC outside of the internal network. Hence the proxy-like access.

    Many thanks,

    Mark
    --
    Mark Collins
    IT Systems Support Analyst
    MCSE 2003


    "Meinolf Weber [MVP-DS]" wrote:

    > Hello Mark,
    >
    > Have a look at AD FS:
    > http://technet.microsoft.com/en-us/library/cc755828.aspx
    >
    > "Active Directory and the DMZ" in:
    > http://redmondmag.com/columns/article.asp?EditorialsID=1105
    >
    > But if possible, you should avoid connecting AD to the DMZ. A DMZ is made for
    > separating the domain from the outside world.
    >
    > Best regards
    >
    > Meinolf Weber
    > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > no rights.
    > ** Please do NOT email, only reply to Newsgroups
    > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >
    >
    > > We are implementing an external email filtering solution called
    > > Continuous M@il. This product can be used with AD integration to check
    > > that an SMTP recipient exists in our Exchange Organisation before
    > > accepting the email from the sending SMTP server. We have been asked
    > > to allow the external Continuous M@il service direct access to our
    > > DCs, via the internet, which I'm not comfortable with. I know there is
    > > the option of read-only DCs in Server 2008 which I would place in one
    > > of our DMZs to support the external LDAP queries. However our AD is
    > > not 2008, so does anyone know what our options would be with a 2003
    > > REL2 AD?
    > >

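The recipient-existence lookup Mark describes (an LDAP query into the DMZ on 389/636 that only answers whether an SMTP address exists in AD), sketched as a minimal read-only "proxy" in Python. This is an added example and not code from the thread, from Continuous M@il, or from Microsoft; the sample directory entries, the example.invalid domain, and the build_recipient_filter() and proxy_lookup() names are constructed assumptions. It shows the two things a proxy in the DMZ can enforce that a direct LDAP connection to a DC cannot: the external caller gets a yes/no answer and never an attribute set, and the recipient address is shape-checked and RFC 4515-escaped so it can only match as a literal, never as a wildcard or an extra filter clause.

```python
"""Recipient-existence check behind a minimal read-only LDAP "proxy".

Added example: SAMPLE_DIRECTORY, example.invalid, proxy_lookup() and
build_recipient_filter() are constructed assumptions, not the thread's,
Continuous M@il's or Microsoft's code.
"""
import re
from typing import Dict, List, Optional

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it matches only literally (no wildcard, no extra clauses)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Conservative shape check applied before the address reaches any filter.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")


def build_recipient_filter(address: str) -> Optional[str]:
    """Filter for 'does a mail-enabled object own this SMTP address?'.

    Exchange writes secondary addresses to proxyAddresses as 'smtp:<addr>'
    (the primary uses 'SMTP:'); AD matches the attribute case-insensitively.
    Returns None when the address fails the shape check.
    """
    if not _ADDRESS_RE.match(address):
        return None
    return f"(proxyAddresses=smtp:{escape_ldap_filter_value(address)})"


# Constructed sample directory. The non-address attributes stand in for data
# that an externally reachable recipient check must never return.
SAMPLE_DIRECTORY: List[Dict[str, List[str]]] = [
    {"cn": ["Alice"],
     "proxyAddresses": ["SMTP:alice@example.invalid", "smtp:a.smith@example.invalid"],
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=invalid"]},
    {"cn": ["Sales"],
     "proxyAddresses": ["SMTP:sales@example.invalid"],
     "memberOf": []},
]


def _value_to_regex(value: str) -> str:
    """Interpret a filter value the way an LDAP server would: an unescaped '*'
    is a wildcard, '\\xx' is one literal character, everything else is literal."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(value[i]))
            i += 1
    return "^" + "".join(out) + "$"


def evaluate_filter(ldap_filter: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a single '(attr=value)' equality/substring filter against one entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only single (attr=value) filters are supported here")
    attr, value = m.group(1), m.group(2)
    pattern = re.compile(_value_to_regex(value), re.IGNORECASE)
    return any(pattern.match(v) for v in entry.get(attr, []))


def proxy_lookup(address: str, directory=SAMPLE_DIRECTORY) -> bool:
    """The only operation the proxy exposes: a yes/no on recipient existence."""
    ldap_filter = build_recipient_filter(address)
    if ldap_filter is None:
        return False  # malformed input is rejected, never queried
    return any(evaluate_filter(ldap_filter, entry) for entry in directory)


if __name__ == "__main__":
    for addr in ("alice@example.invalid", "A.Smith@example.invalid",
                 "nobody@example.invalid", "*@example.invalid"):
        print(f"{addr:28} -> {proxy_lookup(addr)}")
```

In a real deployment the in-memory matcher would be replaced by a bind to the internal directory from the DMZ host, with the bind account limited to reading proxyAddresses; the point of the example is that the externally exposed surface is one boolean operation with validated input, rather than raw LDAP on 389/636 to a domain controller.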